US12248574B1ActiveUtility

Ai identification of computer resources subjected to ransomware attack

84
Assignee: INDEX ENGINES INCPriority: Jul 18, 2024Filed: Jul 18, 2024Granted: Mar 11, 2025
Est. expiryJul 18, 2044(~18 yrs left)· nominal 20-yr term from priority
G06F 2221/034G06F 21/566
84
PatentIndex Score
1
Cited by
14
References
16
Claims

Abstract

A method provides a set of computer data statistical profiles derived from a corresponding set of samples of computer data to a ransomware detection system and obtains a prediction of the likelihood of a ransomware attack in the set of samples of computer data. The system utilizes a machine learning system trained to achieve data models, with each model trained initially on a corresponding cluster of curated computer data statistics profiles, each cluster including statistics characterizing a corresponding cluster of curated samples resulting from exposing a selection of raw data samples to processing by actual ransomware. Each model is subject to iterations against initial validation data until performance convergences, with sample sources from the same backups not being present in both training and validation models. The models have been subject to final validation against actual customer data to address data drift that would otherwise result in excessive false predictions.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A method of assessing a likelihood of a presence of a ransomware attack on computer resources, the method comprising:
 providing as an input, to an AI ransomware detection system, a set of computer data statistical profiles derived from a corresponding set of samples of subject computer data, including data content and metadata; and 
 obtaining from the AI ransomware detection system an output predicting the likelihood of the presence of a ransomware attack in the set of samples of subject computer data; 
 wherein: 
 the AI ransomware detection system utilizes a machine learning system trained, to achieve a plurality of data models, (i) with each model trained initially on a corresponding cluster of curated computer data statistics profiles, (ii) each cluster of curated data statistics profiles being statistics characterizing a corresponding cluster of curated samples resulting from exposing a selection of raw data samples to processing by actual ransomware, and (iii) each selection of raw data samples reflecting a corresponding set of target criteria governing the selection; 
 each model subject to a plurality of iterations against initial validation data until there results a convergence of performance over successive iterations, with a determination during such iterations to ensure that sample sources from the same backups are not present in both training and validation models; and 
 the plurality of data models has been subject to final validation against actual customer data to address data drift between the curated samples and the actual customer data that would otherwise result in excessive false predictions. 
 
     
     
       2. A method according to  claim 1 , wherein the curated samples are derived systematically from a pipeline of data from detonated backups and other sources to create training data. 
     
     
       3. A method according to  claim 1 , wherein each machine learning model has been trained to distinguish among ransomware classes selected from the group consisting of (a) clean, (b) corrupted content with original filename, (c) corrupted content with well-known ransomware file extension, and (d) corrupted content with obfuscated filename. 
     
     
       4. A method according to  claim 3 , wherein each machine learning model has been further trained on the corresponding cluster of curated computer data statistics profiles that comprise a selection of clean data samples not exposed to actual ransomware and a selection of artificially generated data samples. 
     
     
       5. A method according to  claim 4 , wherein each machine learning model has been further trained on the corresponding cluster of curated computer data statistics profiles that comprise virtual data samples generated based on analyses of the selection of raw data samples exposed to processing by the actual ransomware, the selection of clean data samples not exposed to actual ransomware, and the selection of artificially generated data samples. 
     
     
       6. A method according to  claim 1 , wherein each cluster of curated data statistics profiles further being statistics characterizing a corresponding family of ransomware based on behavior during the processing of the raw data samples. 
     
     
       7. A method according to  claim 1 , wherein each machine learning model has been subject to the plurality of iterations against the initial validation data prepared by selecting a specific composition of class samples, ransomware classes, and rates of encrypted files. 
     
     
       8. A method according to  claim 7 , wherein each machine learning model has been fine-tuned after being initially training using a set of customer statistics. 
     
     
       9. A non-transitory computer readable storage medium encoded with instructions, that, when executive by an artificial intelligence (AI) ransomware detection system establishes computer processes for assessing a likelihood of a presence of a ransomware attack on computer resources, the computing processes comprising:
 providing as an input, to the AI ransomware detection system, a set of computer data statistical profiles derived from a corresponding set of samples of subject computer data, including data content and metadata; and 
 obtaining from the AI ransomware detection system an output predicting the likelihood of the presence of a ransomware attack in the set of samples of subject computer data; 
 wherein: 
 the AI ransomware detection system utilizes a machine learning system trained, to achieve a plurality of data models, (i) with each model trained initially on a corresponding cluster of curated computer data statistics profiles, (ii) each cluster of curated data statistics profiles being statistics characterizing a corresponding cluster of curated samples resulting from exposing a selection of raw data samples to processing by actual ransomware, and (iii) each selection of raw data samples reflecting a corresponding set of target criteria governing the selection; 
 each model subject to a plurality of iterations against initial validation data until there results a convergence of performance over successive iterations, with a determination during such iterations to ensure that sample sources from the same backups are not present in both training and validation models; and 
 the plurality of data models has been subject to final validation against actual customer data to address data drift between the curated samples and the actual customer data that would otherwise result in excessive false predictions. 
 
     
     
       10. A non-transitory computer-readable medium according to  claim 9 , wherein the curated samples are derived systematically from a pipeline of data from detonated backups and other sources to create training data. 
     
     
       11. A non-transitory computer-readable medium according to  claim 9 , wherein each machine learning model has been trained to distinguish among ransomware classes selected from the group consisting of (a) clean, (b) corrupted content with original filename, (c) corrupted content with well-known ransomware file extension, and (d) corrupted content with obfuscated filename. 
     
     
       12. A non-transitory computer-readable medium according to  claim 11 , wherein each machine learning model has been further trained on the corresponding cluster of curated computer data statistics profiles that comprise a selection of clean data samples not exposed to actual ransomware and a selection of artificially generated data samples. 
     
     
       13. A non-transitory computer-readable medium according to  claim 12 , wherein each machine learning model has been further trained on the corresponding cluster of curated computer data statistics profiles that comprise virtual data samples generated based on analyses of the selection of raw data samples exposed to processing by the actual ransomware, the selection of clean data samples not exposed to actual ransomware, and the selection of artificially generated data samples. 
     
     
       14. A non-transitory computer-readable medium according to  claim 9 , wherein each cluster of curated data statistics profiles further being statistics characterizing a corresponding family of ransomware based on behavior during the processing of the raw data samples. 
     
     
       15. A non-transitory computer-readable medium according to  claim 9 , wherein each machine learning model has been subject to the plurality of iterations against the initial validation data prepared by selecting a specific composition of class samples, ransomware classes, and rates of encrypted files. 
     
     
       16. A non-transitory computer-readable medium according to  claim 15 , wherein each machine learning model has been fine-tuned after being initially training using a set of customer statistics.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.